From 07f7495ec0d1d7406ccd2c87340a4cf9663a46a2 Mon Sep 17 00:00:00 2001
From: Christos Triantafyllidis
Date: Fri, 21 Oct 2011 09:36:04 +0300
Subject: [PATCH] Commas are not allowed before parentensis closure ')'
---
 selinux/README.md | 60 +++++++++++++++++++
 selinux/metadata.rb | 6 ++
 selinux/recipes/default.rb | 18 ++++++
 selinux/recipes/disabled.rb | 33 ++++++++++
 selinux/recipes/enforcing.rb | 33 ++++++++++
 selinux/recipes/permissive.rb | 35 +++++++++++
 .../templates/default/sysconfig/selinux.erb | 11 ++++
 7 files changed, 196 insertions(+)
 create mode 100644 selinux/README.md
 create mode 100644 selinux/metadata.rb
 create mode 100644 selinux/recipes/default.rb
 create mode 100644 selinux/recipes/disabled.rb
 create mode 100644 selinux/recipes/enforcing.rb
 create mode 100644 selinux/recipes/permissive.rb
 create mode 100644 selinux/templates/default/sysconfig/selinux.erb
diff --git a/selinux/README.md b/selinux/README.md
new file mode 100644
index 0000000..f96dd8b
--- /dev/null
+++ b/selinux/README.md
@@ -0,0 +1,60 @@
+Description
+===========
+
+Provides recipes for manipulating selinux policy enforcement
+
+Requirements
+============
+
+RHEL family distribution or other Linux system that uses SELinux.
+
+## Platform:
+
+Tested on RHEL 5.6, 6.0 and 6.1.
+
+Usage
+=====
+
+SELinux is enforcing by default on RHEL family distributions, however the use of SELinux has complicated considerations when using configuration management. Often, users are recommended to set SELinux to permissive mode, or disabled completely. To ensure that SELinux is permissive or disabled, choose the appropriate recipe (`selinux::permissive`, `selinux::disabled`) and apply it to the node early in the run list. For example in a `base` role used by all RHEL systems:
+
+ name "base"
+ description "Base role applied to all nodes."
+ run_list(
+ "recipe[selinux::permissive]",
+ )
+
+Changes
+=======
+
+## v0.5.0:
+
+* COOK-678 - add the selinux cookbook to the repository
+* Use main selinux config file (/etc/selinux/config)
+* Use getenforce instead of selinuxenabled for enforcing and permissive
+
+Roadmap
+=======
+
+Use a node attribute to determine which recipe to load automatically from selinux::default.
+
+Add LWRP/Libraries for manipulating security contexts for files and services managed by Chef.
+
+License and Author
+==================
+
+Author:: Sean OMeara ()
+Author:: Joshua Timberman ()
+
+Copyright:: 2011, Opscode, Inc
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
diff --git a/selinux/metadata.rb b/selinux/metadata.rb
new file mode 100644
index 0000000..294ea67
--- /dev/null
+++ b/selinux/metadata.rb
@@ -0,0 +1,6 @@
+maintainer "Opscode, Inc."
+maintainer_email "someara@opscode.com"
+license "Apache"
+description "Installs/Configures selinux"
+long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
+version "0.5.0"
diff --git a/selinux/recipes/default.rb b/selinux/recipes/default.rb
new file mode 100644
index 0000000..ecf7912
--- /dev/null
+++ b/selinux/recipes/default.rb
@@ -0,0 +1,18 @@
+#
+# Cookbook Name:: selinux
+# Recipe:: default
+#
+# Copyright 2011, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
diff --git a/selinux/recipes/disabled.rb b/selinux/recipes/disabled.rb
new file mode 100644
index 0000000..dcb4b58
--- /dev/null
+++ b/selinux/recipes/disabled.rb
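Review bot: metadata.rb declares no `supports` line even though the README limits the cookbook to RHEL-family platforms and the recipes depend on `setenforce`/`getenforce` being present; adding `supports "redhat"` (and the other tested platforms) records that constraint where tooling and users can see it.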
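Review bot: default.rb contains only the license header, so `recipe[selinux]` on a run list does nothing, which the README's Usage section does not say; a single comment after the header such as `# Intentionally empty: pick selinux::enforcing, selinux::permissive or selinux::disabled explicitly (see README roadmap for attribute-driven dispatch).` would prevent users from assuming the default recipe enforces anything.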
@@ -0,0 +1,33 @@
+#
+# Author:: Sean OMeara ()
+# Cookbook Name:: selinux
+# Recipe:: disabled
+#
+# Copyright 2011, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+execute "disable selinux enforcement" do
+ only_if "selinuxenabled"
+ command "setenforce 0"
+ action :run
+end
+
+template "/etc/selinux/config" do
+ source "sysconfig/selinux.erb"
+ variables(
+ :selinux => "disabled",
+ :selinuxtype => "targeted"
+ )
+end
diff --git a/selinux/recipes/enforcing.rb b/selinux/recipes/enforcing.rb
new file mode 100644
index 0000000..91b8c6c
--- /dev/null
+++ b/selinux/recipes/enforcing.rb
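Review bot: The `only_if "selinuxenabled"` guard in disabled.rb is true whenever SELinux is enabled at all, so `setenforce 0` is re-run and reported as an update on every converge of a host that is already Permissive; the README changelog says enforcing.rb and permissive.rb moved to `getenforce` for exactly this reason, and `only_if "getenforce | grep -qx 'Enforcing'"` would make this recipe consistent and idempotent. The template resource here, and the same resource in enforcing.rb and permissive.rb, sets no `owner`/`group`/`mode`, so when /etc/selinux/config is created its permissions come from the umask of the Chef process rather than being pinned; `mode "0644"` together with `owner "root"` and `group "root"` fixes that. All three recipes also hard-code `:selinuxtype => "targeted"`, which rewrites the policy type on a host running another policy (the template comments list `strict`); a node attribute would let that be overridden. A comment above the template stating that `SELINUX=disabled` only takes effect at the next boot, and that the running kernel is left permissive until then, would document the actual state the recipe produces.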
@@ -0,0 +1,33 @@
+#
+# Author:: Sean OMeara ()
+# Cookbook Name:: selinux
+# Recipe:: enforcing
+#
+# Copyright 2011, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+execute "enable selinux enforcement" do
+ not_if "getenforce | grep -qx 'Enforcing'"
+ command "setenforce 1"
+ action :run
+end
+
+template "/etc/selinux/config" do
+ source "sysconfig/selinux.erb"
+ variables(
+ :selinux => "enforcing",
+ :selinuxtype => "targeted"
+ )
+end
diff --git a/selinux/recipes/permissive.rb b/selinux/recipes/permissive.rb
new file mode 100644
index 0000000..aa50956
--- /dev/null
+++ b/selinux/recipes/permissive.rb
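Review bot: `setenforce 1` fails on a host whose kernel booted with SELinux disabled (`getenforce` prints `Disabled`), and the `not_if` in enforcing.rb only excludes `Enforcing`, so on such a host the execute raises and aborts the run before the template that would fix the config for the next boot is ever written. permissive.rb handles the same situation with an `egrep -qx 'Permissive|Disabled'` guard; `not_if "getenforce | egrep -qx 'Enforcing|Disabled'"` would do the same here and let the template set `SELINUX=enforcing` for the next boot. A comment above the execute should also state that a host moving from disabled to enforcing only changes state after a reboot and, as a rule, needs a filesystem relabel on that boot, neither of which this recipe arranges.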
@@ -0,0 +1,35 @@
+#
+# Author:: Sean OMeara ()
+# Cookbook Name:: selinux
+# Recipe:: permissive
+#
+# Copyright 2011, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+execute "enable selinux as permissive" do
+ not_if "getenforce | egrep -qx 'Permissive|Disabled'"
+ command "setenforce 0"
+ ignore_failure true
+ action :run
+end
+
+template "/etc/selinux/config" do
+ source "sysconfig/selinux.erb"
+ not_if "getenforce | grep -qx 'Disabled'"
+ variables(
+ :selinux => "permissive",
+ :selinuxtype => "targeted"
+ )
+end
diff --git a/selinux/templates/default/sysconfig/selinux.erb b/selinux/templates/default/sysconfig/selinux.erb
new file mode 100644
index 0000000..2b393f0
--- /dev/null
+++ b/selinux/templates/default/sysconfig/selinux.erb
@@ -0,0 +1,11 @@
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+# enforcing - SELinux security policy is enforced.
+# permissive - SELinux prints warnings instead of enforcing.
+# disabled - SELinux is fully disabled.
+SELINUX=<%= @selinux %>
+# SELINUXTYPE= type of policy in use. Possible values are:
+# targeted - Only targeted network daemons are protected.
+# strict - Full SELinux protection.
+SELINUXTYPE=<%= @selinuxtype %>
+
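Review bot: `ignore_failure true` on the execute in permissive.rb hides every failure of `setenforce 0`, yet the `not_if` already skips hosts reporting Permissive or Disabled, so the failures that remain (command missing, insufficient privilege) are ones the run should report rather than swallow; drop the line, or leave a comment naming the specific failure it is meant to tolerate. The template's `not_if "getenforce | grep -qx 'Disabled'"` deliberately leaves a disabled host disabled, which the recipe name does not convey and the README's "ensure that SELinux is permissive" wording contradicts; a comment such as `# A host booted with SELinux disabled is left as-is: moving it to permissive needs a reboot, which this recipe does not trigger.` would make the intended behaviour explicit.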